In-Depth

News in Brief

Win2K buffer overflow threat; new BindView security products

• By Mathew Schwartz
• 03/26/2003

Win2K Buffer Overflow

Windows 2000 administrators face a new threat, dubbed the Internet Information Server (IIS)WebDAV URL overflow. If an attacker can establish a Web session with the affected server, and if the administrator isn’t running URLScan—part of the IIS Lockdown Tool (which in its default configuration will block this attack)—then they’re vulnerable to an unchecked buffer overflow.

One possible exploit of the vulnerability would send a specially formed HTTP request to a machine running ISS which would then either crash the machine or make it run code of the attacker’s choosing. Microsoft gives this vulnerability a “critical” severity rating. Note that ISS runs by default on all Windows 2000 servers.

A tool for exploiting the vulnerability was circulating before Microsoft was aware of the problem, which was allegedly used to compromise a U.S. military Web site.

Some users reported that the initial hotfix for this problem crashed their machines. For certain machines, until that issue is resolved, Microsoft’s suggested workaround is to disable IIS, run the IIS Lockdown tool, or to run the URL Buffer Size Registry tool to restrict the buffer subject to this vulnerability.

You'll find the patch here:http://www.microsoft.com/technet/security/bulletin/MS03-007.asp

New Enterprise Firewall and Internet Security Tools

BindView Corp. released new versions of bv-Control for Check Point FireWall-1, and bv-Control for Internet Security after completing field trials with enterprise customers. Both products enhance firewall security and help administrators quickly find and fix security holes that hackers could use to penetrate network servers. Administrators can proactively scan their infrastructure for security holes and vulnerabilities, not unlike a hacker looking to exploit network vulnerabilities. The software reports which holes exist, their location, and how to repair them (in some cases automatically).

The CERT Coordination Center predicts that the number of vulnerabilities doubles every year. With more than 4,100 reported in 2002, security administrators can expect more than 7,000 vulnerabilities this year. BindView says its new firewall and Internet security products will help them mitigate that growing list of potential exploits. “Recent attacks, such as the SQL Slammer, demonstrate the need for organizations to quickly detect and address network vulnerabilities,” notes Eric Pulaski, president and CEO of BindView.

For more information, see: http://www.bindview.com/